(54) Method for secure session key generation and authentication

(57) A key establishment protocol includes the generation of a value of a cryptographic function, typically a hash, of a session key and public information. This value is transferred between correspondents together with the information necessary to generate the session key. Provided the session key has not been compromised, the value of the cryptographic function will be the same at each of the correspondents. The value of the cryptographic function cannot be compromised or modified without access to the session key.
EP 0 739

Description

The present invention relates to key agreement protocols for transfer and authentication of encryption keys.

To retain privacy during the exchange of information it is well known to encrypt data using a key. The key must be chosen so that the correspondents are able to encrypt and decrypt messages but such that an interceptor cannot determine the contents of the message. In a secret key cryptographic protocol, the correspondents share a common key that is secret to them. This requires the key to be agreed upon between the correspondents and for provision to be made to maintain the secrecy of the key and provide for change of the key should the underlying security be compromised.

Public key cryptographic protocols were first proposed in 1976 by Diffie-Hellman and utilized a public key made available to all potential correspondents and a private key known only to the intended recipient. The public and private keys are related such that a message encrypted with the public key of a recipient can be readily decrypted with the private key but the private key cannot be derived from the knowledge of the plaintext, ciphertext and public key.

Key establishment is the process by which two (or more) parties establish a shared secret key, called the session key. The session key is subsequently used to achieve some cryptographic goal, such as privacy. There are two kinds of key agreement protocol: key transport protocols, in which a key is created by one party and securely transmitted to the second party; and key agreement protocols, in which both parties contribute information which jointly establishes the shared secret key. The number of message exchanges required between the parties is called the number of passes. A key establishment protocol is said to provide implicit key authentication (or simply key authentication) if one party is assured that no other party aside from a specially identified second party may learn the value of the session key. The property of implicit key authentication does not necessarily mean that the second party actually possesses the session key. A key establishment protocol is said to provide key confirmation if one party is assured that a specially identified second party actually has possession of a particular session key. If the authentication is provided to both parties involved in the protocol, then the key authentication is said to be mutual; if provided to only one party, the authentication is said to be unilateral.

There are various prior proposals which claim to provide implicit key authentication.

Examples include the Nyberg-Rueppel one-pass protocol and the Matsumoto-Takashima-Imai (MTI) and the Goss and Yacobi two-pass protocols for key agreement.

The prior proposals ensure that transmissions between correspondents to establish a common key are secure and that an interloper cannot retrieve the session key and decrypt the ciphertext. In this way security for sensitive transactions such as transfer of funds is provided.

For example, the MTI/A0 key agreement protocol establishes a shared secret K known to the two correspondents, in the following manner:-

1. During initial, one-time setup, key generation and publication is undertaken by selecting and publishing an appropriate system prime p and generator $\alpha \in \mathbb{Z}_p$ in a manner guaranteeing authenticity. Correspondent A selects as a long-term private key a random integer a, $1 \le a \le p-2$, and computes a long-term public key $z_A = \alpha^a \bmod p$. B generates analogous keys b, $z_B$. A and B have access to authenticated copies of each other's long-term public key.

2. The protocol requires the exchange of the following messages.

A → B: $\alpha^x \bmod p$   (1)

A ← B: $\alpha^y \bmod p$   (2)

The values of x and y remain secure during such transmissions as it is impractical to determine the exponent even when the value of α and the exponentiation is known, provided of course that p is chosen sufficiently large.

3. To implement the protocol the following steps are performed each time a shared key is required.

(a) A chooses a random integer x, $1 \le x \le p-2$, and sends B message (1), i.e. $\alpha^x \bmod p$.

(b) B chooses a random integer y, $1 \le y \le p-2$, and sends A message (2), i.e. $\alpha^y \bmod p$.

(c) A computes the key $K = (\alpha^y)^a z_B^x \bmod p$.

(d) B computes the key $K = (\alpha^x)^b z_A^y \bmod p$.

(e) Both share the key $K = \alpha^{bx+ay}$.

In order to compute the key K, A must use his secret key a and the random integer x, both of which are known only to him. Similarly B must use her secret key b and random integer y to compute the session key K. Provided the secret keys a, b remain uncompromised, an interloper cannot generate a session key identical to the other correspondent. Accordingly, any ciphertext will not be decipherable by both correspondents.

As such this and related protocols have been considered satisfactory for key establishment and resistant to conventional eavesdropping or man-in-the-middle attacks.

In some circumstances it may be advantageous for an adversary to mislead one correspondent as to the true identity of the other correspondent.

In such an attack an active adversary or interloper E modifies messages exchanged between A and B, with the result that B believes that he shares a key K with E while A believes that she shares the same key K with B. Even though E does not learn the value of K, the misinformation as to the identity of the correspondents may be useful.

A practical scenario where such an attack may be launched successfully is the following. Suppose that B is a bank branch and A is an account holder. Certificates are issued by the bank headquarters and within the certificate is the account information of the holder. Suppose that the protocol for electronic deposit of funds is to exchange a key with a bank branch via a mutually authenticated key agreement. Once B has authenticated the transmitting entity, encrypted funds are deposited to the account number in the certificate. If no further authentication is done in the encrypted deposit message (which might be the case to save bandwidth) then the deposit will be made to E's account.

It is therefore an object of the present invention to provide a protocol in which the above disadvantages are obviated or mitigated.

According therefore to the present invention there is provided a method of authenticating a pair of correspondents A, B to permit exchange of information therebetween, each of said correspondents having a respective private key a, b and a public key $p_A$, $p_B$ derived from a generator α and respective ones of said private keys a, b, said method including the steps of

i) a first of said correspondents A selecting a first random integer x and exponentiating a function f(α) including said generator to a power g(x) to provide a first exponentiated function $f(\alpha)^{g(x)}$;

ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;

iii) said correspondent B selecting a second random integer y and exponentiating a function f'(α) including said generator to a power g(y) to provide a second exponentiated function $f'(\alpha)^{g(y)}$;

iv) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;

v) said second correspondent B generating a value h of a function F[π, K] where F[π, K] denotes a cryptographic function applied conjointly to π and K and where π is a subset of the public information provided by B, thereby to bind the values of π and K;

vi) said second of said correspondents B forwarding a message to said first correspondent A including said second exponential function $f'(\alpha)^{g(y)}$ and said value h of said cryptographic function F[π, K];

vii) said first correspondent receiving said message and computing a session key from information made public by said second correspondent B and private to said first correspondent A;

viii) said first correspondent A computing a value h' of a cryptographic function, h' = F[π, K]; and

ix) comparing said values obtained from said cryptographic functions F to confirm their correspondence.

As the session key K can only be generated using information that is private to either A or B, the binding of π with K by the cryptographic function h prevents E from extracting K or interjecting a new value of the function that will correspond to that obtained by A.

Embodiments of the invention will now be described by way of example only with reference to the accompanying drawings in which:

Figure 1 is a schematic representation of a data communication system.

Referring therefore to Figure 1, a pair of correspondents, 10, 12, denoted as correspondent A and correspondent B, exchange information over a communication channel 14. A cryptographic unit 16, 18 is interposed between each of the correspondents 10, 12 and the channel 14. A key 20 is associated with each of the cryptographic units 16, 18 to convert plaintext carried between each unit 16, 18 and its respective correspondent 10, 12 into ciphertext carried on the channel 14.

In operation, a message generated by correspondent A, 10, is encrypted by the unit 16 with the key 20 and transmitted as ciphertext over channel 14 to the unit 18.

The key 20 operates upon the ciphertext in the unit 18 to generate a plaintext message for the correspondent B, 12. Provided the keys 20 correspond, the message received by the correspondent 12 will be that sent by the correspondent 10.

In order for the system shown in Figure 1 to operate it is necessary for the keys 20 to be identical and therefore a key agreement protocol is established that allows the transfer of information in a public manner to establish the identical keys. A number of protocols are available for such key generation and embodiments of the present invention will be described below in the context of modifications of existing protocols.

A commonly used set of protocols are collectively known as the Matsumoto-Takashima-Imai or "MTI" key agreement protocols, and are variants of the Diffie-Hellman key exchange. Their purpose is for parties A and B to establish a secret session key K.

The system parameters for these protocols are a prime number p and a generator α of the multiplicative group $\mathbb{Z}_p^*$. Correspondent A has private key a and public key $p_A = \alpha^a$. Correspondent B has private key b and public key $p_B = \alpha^b$. In all four protocols exemplified below, text_A refers to a string of information that identifies party A. If the other correspondent B possesses an authentic copy of correspondent A's public key, then text_A will contain A's public-key certificate, issued by a trusted center; correspondent B can use his authentic copy of the trusted center's public key to verify correspondent A's certificate, hence obtaining an authentic copy of correspondent A's public key.
In each example below it is assumed that an interloper E wishes to have messages from A identified as having originated from E herself. To accomplish this, E selects a random integer e, $1 \le e \le p-2$, computes $p_E = (p_A)^e = \alpha^{ae} \bmod p$, and gets this certified as her public key. E does not know the exponent ae, although she knows e. By substituting text_E for text_A, the correspondent B will assume that the message originates from E rather than A and use E's public key to generate the session key K. E also intercepts the message from B and uses her secret random integer e to modify its contents. A will then use that information to generate the same session key, allowing A to communicate with B.

The present invention is exemplified by modifications to 4 of the family of MTI protocols which foil this new attack, thereby achieving the desired property of mutual implicit authentication. In the modified protocols exemplified below F(X, Y) denotes a cryptographic function applied to a string derived from X and Y. Typically, and as exemplified, a hash function, such as the NIST "Secure Hash Algorithm" (SHA-1), is applied to the string obtained by concatenating X and Y, but it will be understood that other cryptographic functions may be used.

Example 1 - MTI/A0 protocol

The existing protocol operates as follows:-

1. Correspondent A generates a random integer x, $1 \le x \le p-2$, computes $\alpha^x$, and sends $\{\alpha^x, \text{text}_A\}$ to party B.

2. Correspondent B generates a random integer y, $1 \le y \le p-2$, computes $\alpha^y$, and sends $\{\alpha^y, \text{text}_B\}$ to party A.

3. Correspondent A computes $K = (\alpha^y)^a (p_B)^x = \alpha^{ay+bx}$.

4. Correspondent B computes $K = (\alpha^x)^b (p_A)^y = \alpha^{bx+ay}$.

A common key K is thus obtained. However, with this arrangement, interloper E can have messages generated by correspondent A identified as having originated from E in the following manner:

1. E intercepts A's message $\{\alpha^x, \text{text}_A\}$ and replaces it with $\{\alpha^x, \text{text}_E\}$. The provision of the message text_E identifies the message as having originated at E.

2. B sends $\{\alpha^y, \text{text}_B\}$ to E, who then forwards $\{(\alpha^y)^e, \text{text}_B\}$ to A. Since A receives text_B, he assumes the message originates at B and, as he does not know the value of y, assumes that $(\alpha^y)^e$ is valid information.

3. A computes $K = (\alpha^{ey})^a (p_B)^x = \alpha^{aey+bx}$.

4. B computes $K = (\alpha^x)^b (p_E)^y = \alpha^{bx+aey}$.

5. A and B now share the key K, even though B believes he shares a key with E.

Accordingly any further transactions from A to B will be considered by B to have originated at E. B will act accordingly, crediting instructions to E. Even though the interloper E does not learn the value of the session key K, nevertheless the assumption that the message originates at E may be valuable and achieve the desired effect.

To avoid this problem, the protocol is modified as follows:-

1. A generates a random integer x, $1 \le x \le p-2$, computes $\alpha^x$ and sends $\{\alpha^x, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, and computes $\alpha^y$, $K = (\alpha^x)^b (p_A)^y = \alpha^{bx+ay}$, and a value h of cryptographic hash function $F(\alpha^y, \alpha^{bx+ay})$, which is a function of public information π and the key K. B sends $\{\alpha^y, h, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^y)^a (p_B)^x = \alpha^{ay+bx}$. A also computes a value h' of cryptographic hash function $F(\alpha^y, K)$ and verifies that this value is equal to h.

If E attempts to interpose her identification, text_E, the attack fails on the modified protocols because in each case B sends the hash value F(π, K), where π is B's random exponential, thereby binding together the values of π and K. E cannot subsequently replace the value of π with $\pi^e$ and compute $F(\pi^e, K)$ since E does not know K. Even though E knows π, this is not sufficient to extract K from the hash value h. Accordingly, even if E interposes the value $\alpha^{ey}$ so that the keys 20 will agree, the values h, h' will not.
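The modified MTI/A0 exchange above, worked in code. This is an added example and not part of the patent text: it uses a toy 61-bit prime and an assumed generator (constructed, far too small for real use) and SHA-1 over the concatenated decimal strings as the F(X, Y) the page exemplifies. The function names and the attacker_e switch are the example's own. With attacker_e set, the run reproduces the substitution the page describes (text_E for text_A on the way to B, $(\alpha^y)^e$ for $\alpha^y$ on the way to A), so the reader can confirm that both sides still derive the same K while the h = F(α^y, K) check at A fails.

```python
import hashlib

# Toy system parameters, constructed for this example only (a 61-bit Mersenne
# prime with an assumed generator); real deployments need a properly sized group.
P = 2**61 - 1
ALPHA = 3


def public_key(priv):
    """Long-term public key alpha^priv mod p."""
    return pow(ALPHA, priv, P)


def F(x, y):
    """F(X, Y): SHA-1 over the concatenation of X and Y, as the page exemplifies.
    A separator keeps pairs such as (1, 23) and (12, 3) from colliding."""
    return hashlib.sha1(f"{x}|{y}".encode()).hexdigest()


def mti_a0_modified(a, b, x, y, attacker_e=None):
    """Run the modified MTI/A0 exchange between A (private a, ephemeral x) and
    B (private b, ephemeral y).

    With attacker_e set, the interloper E of the page sits between them: B is
    handed text_E, i.e. p_E = (p_A)^e, and A is handed (alpha^y)^e.
    Returns (K_A, K_B, h, h_prime, accepted)."""
    p_A, p_B = public_key(a), public_key(b)

    # Step 1: A -> B : {alpha^x, text_A}; E may swap text_A for text_E
    m1 = pow(ALPHA, x, P)
    pk_used_by_B = p_A if attacker_e is None else pow(p_A, attacker_e, P)

    # Step 2: B computes alpha^y, K = (alpha^x)^b (p_A)^y and h = F(alpha^y, K)
    m2 = pow(ALPHA, y, P)
    K_B = (pow(m1, b, P) * pow(pk_used_by_B, y, P)) % P
    h = F(m2, K_B)

    # In transit E may replace alpha^y with (alpha^y)^e; h is left untouched
    # because E has no K with which to recompute it
    m2_as_received = m2 if attacker_e is None else pow(m2, attacker_e, P)

    # Step 3: A computes K = (alpha^y)^a (p_B)^x and h' = F(alpha^y, K)
    K_A = (pow(m2_as_received, a, P) * pow(p_B, x, P)) % P
    h_prime = F(m2_as_received, K_A)

    return K_A, K_B, h, h_prime, h == h_prime


if __name__ == "__main__":
    import secrets
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    K_A, K_B, h, h2, ok = mti_a0_modified(a, b, x, y)
    print("honest run: keys equal =", K_A == K_B, "h == h' =", ok)
    K_A, K_B, h, h2, ok = mti_a0_modified(a, b, x, y, attacker_e=7)
    print("interposed run: keys equal =", K_A == K_B, "h == h' =", ok)
```

The point the example makes concrete is the one the paragraph above states: the interposition leaves $K_A = K_B = \alpha^{aey+bx}$, so key agreement alone detects nothing, and it is only the comparison of h against h' (computed over the exponential as actually received) that exposes the substitution.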

Example 2 - MTI/B0 protocol

In this protocol,

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^y = \alpha^{ay}$, and sends $\{\alpha^{ay}, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$.

4. B computes $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$.

This protocol is vulnerable to the interloper E if:

1. E replaces A's message $\{\alpha^{bx}, \text{text}_A\}$ with $\{\alpha^{bx}, \text{text}_E\}$ to identify herself as the originator of the message.

2. B sends $\{(p_E)^y, \text{text}_B\}$ to E, who then computes $((p_E)^y)^{e^{-1}} = \alpha^{ay}$ and forwards $\{\alpha^{ay}, \text{text}_B\}$ to A.

3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$.

4. B computes $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$.

5. A and B now share the key K even though B believes he shares a key with E.

This protocol may be modified to resist E's attack as follows.

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^y = \alpha^{ay}$, $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$, and the value h of hash function $F(\alpha^{ay}, \alpha^{x+y})$. B sends $\{\alpha^{ay}, h, \text{text}_B\}$ to A.

3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$. A also computes the value h' of hash function $F(\alpha^{ay}, K)$ and verifies that this value is equal to h.

Once again, E cannot determine the session key K and so cannot generate a new value of the hash function to maintain the deception.



Example 3 - MTI/C0 protocol

This protocol operates as follows:-

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^y = \alpha^{ay}$, and sends $\{\alpha^{ay}, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^{ay})^{a^{-1}x} = \alpha^{xy}$.

4. B computes $K = (\alpha^{bx})^{b^{-1}y} = \alpha^{xy}$.

The interloper E may interpose her identity as follows:-

1. E replaces A's message $\{\alpha^{bx}, \text{text}_A\}$ with $\{\alpha^{bx}, \text{text}_E\}$.

2. B sends $\{(p_E)^y, \text{text}_B\}$ to E, who then computes $((p_E)^y)^{e^{-1}} = \alpha^{ay}$ and forwards $\{\alpha^{ay}, \text{text}_B\}$ to A.

3. A computes $K = (\alpha^{ay})^{a^{-1}x} = \alpha^{xy}$.

4. B computes $K = (\alpha^{bx})^{b^{-1}y} = \alpha^{xy}$.

5. A and B now share the key K, even though B believes he shares a key with E.

To avoid this attack the protocol is modified as follows:-

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^y = \alpha^{ay}$, $K = (\alpha^{bx})^{b^{-1}y} = \alpha^{xy}$, and the value h of hash function $F(\alpha^{ay}, \alpha^{xy})$. B sends $\{\alpha^{ay}, h, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^{ay})^{a^{-1}x} = \alpha^{xy}$. A also computes the value h' of $F(\alpha^{ay}, K)$ and verifies that this value is equal to h.

Example 4 - MTI/C1 protocol

In this protocol:-

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^{ax} = \alpha^{abx}$, and sends $\{\alpha^{abx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^{by} = \alpha^{aby}$ and sends $\{\alpha^{aby}, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$.

4. B computes $K = (\alpha^{abx})^y = \alpha^{abxy}$.

E can act as an interloper as follows:-

1. E replaces A's message $\{\alpha^{abx}, \text{text}_A\}$ with $\{\alpha^{abx}, \text{text}_E\}$.

2. B sends $\{(p_E)^{by}, \text{text}_B\}$ to E, who then computes $((p_E)^{by})^{e^{-1}} = \alpha^{aby}$ and forwards $\{\alpha^{aby}, \text{text}_B\}$ to A.

3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$.

4. B computes $K = (\alpha^{abx})^y = \alpha^{abxy}$.

5. A and B now share the key K, even though B believes he shares a key with E.

To avoid this, the protocol is modified as follows:-

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^{ax} = \alpha^{abx}$, and sends $\{\alpha^{abx}, \text{text}_A\}$ to party B.

2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^{by} = \alpha^{aby}$, $K = (\alpha^{abx})^y = \alpha^{abxy}$, and $h = F(\alpha^{aby}, \alpha^{abxy})$. B sends $\{\alpha^{aby}, h, \text{text}_B\}$ to party A.

3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$. A also computes $h' = F(\alpha^{aby}, K)$ and verifies that this value is equal to h.



In each of the modified protocols discussed above, key confirmation from B to A is provided.

As noted above, instead of F being a cryptographic hash function other functions could be used. For example, an option available is to choose F = ε, where ε is the encryption function of a suitable symmetric-key encryption scheme keyed with K, the session key established. Because E cannot generate the session key K, it is similarly not able to generate the value of the function F and therefore cannot interpose for the correspondent A.

The technique described above can be applied to other similar key exchange protocols, including all of the 3 infinite classes of MTI protocols called MTI-A(k), MTI-B(k) and MTI-C(k).

The Goss authenticated key exchange protocol is similar to the MTI/A0 protocol, except that the session key is the bitwise exclusive-OR of $\alpha^{ay}$ and $\alpha^{bx}$; that is $K = \alpha^{ay} \oplus \alpha^{bx}$ instead of being the product of $\alpha^{ay}$ and $\alpha^{bx}$. Hence the attack on the MTI/A0 protocol and its modification can be extended in a straightforward manner to the case of the Goss protocol.

Similarly Yacobi's authenticated key exchange protocol is exactly the same as the MTI/A0 protocol, except that α is an element of the group of units $\mathbb{Z}_n^*$, where n is the product of 2 large primes. Again, the attack on the MTI/A0 protocol and its modification can be extended in a straightforward manner to the case of the Goss protocol.

A further way of foiling the interposition of E is to require that each entity prove to a trusted center that it knows the exponent of α that produces its public key P before the center issues a certificate for the public key. Because E only knows "e" and not "ae" it would not meet this requirement. This can be achieved through zero knowledge techniques to protect the secrecy of the private keys but also requires the availability of a trusted centre which may not be convenient.

Each of the above examples has been described with a 2 pass protocol for key authentication. One pass protocols also exist to establish a key between correspondents and may be similarly vulnerable.

As an example the Nyberg-Rueppel one pass key agreement protocol will be described and a modification proposed.

The purpose of this protocol is for party A and party B to agree upon a secret session key K.

The system parameters for these protocols are a prime number p and a generator α of the multiplicative group $\mathbb{Z}_p^*$. User A has private key a and public key $p_A = \alpha^a$. User B has private key b and public key $p_B = \alpha^b$.

1. A selects random integers x and t, $1 \le x, t \le p-2$.

2. A computes $r = (p_B)^t \alpha^x \bmod p$ and $s = x - ra \bmod (p-1)$, and sends $\{r, s, \text{text}_A\}$ to B.

3. B recovers the value $\alpha^x \bmod p$ by computing $\alpha^s (p_A)^r \bmod p$ and then computes the shared session key $K = (r\alpha^{-x})^{b^{-1}} = \alpha^t \bmod p$.

If interloper E wishes to have messages from A identified as having originated from herself, E selects a random integer e, $1 \le e \le p-2$, computes $p_E = \alpha^e$, and gets this certified as her public key.

1. E intercepts A's message $\{r, s, \text{text}_A\}$ and computes $\alpha^x = \alpha^s (p_A)^r$ and $\alpha^{bt} = r\alpha^{-x}$.

2. E then selects a random integer x', $1 \le x' \le p-2$, computes $r' = \alpha^{bt} \alpha^{x'} \bmod p$ and $s' = x' - r'e \bmod (p-1)$.

3. E sends $\{r', s', \text{text}_E\}$ to B.

4. B recovers the value $\alpha^{x'} \bmod p$ by computing $\alpha^{s'} (p_E)^{r'} \bmod p$ and then computes $K = (r'\alpha^{-x'})^{b^{-1}} = \alpha^t \bmod p$.

5. A and B now share the key K even though B believes he shares a key with E.

To foil such an attack the protocol is modified by requiring A to also transmit a value h of $F(p_A, K)$, where F is a hash function, an encryption function of a symmetric-key system with key K or other suitable cryptographic function. The modified protocol is the following.

1. A selects random integers x and t, $1 \le x, t \le p-2$.

2. A computes $r = (p_B)^t \alpha^x \bmod p$, $s = x - ra \bmod (p-1)$, session key $K = \alpha^t \bmod p$ and the value h of hash function $F(p_A, K)$. A sends $\{r, s, h, \text{text}_A\}$ to B.

3. B recovers the value $\alpha^x \bmod p$ by computing $\alpha^s (p_A)^r \bmod p$ and then computes the shared session key $K = (r\alpha^{-x})^{b^{-1}} = \alpha^t \bmod p$. B also computes the value h' of function $F(p_A, K)$ and verifies that this value is equal to h.

Again, therefore, by binding together the public information π and the session key K in the hash function, the interposition of E will not result in identical hash values h, h'.

In each case it can be seen that a relatively simple modification to the protocols involving the binding of public and private information in a cryptographic function foils the interposition of interloper E.
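The one-pass Nyberg-Rueppel protocol with the h = F(p_A, K) binding, as an added example that is not part of the patent text. It uses toy parameters (constructed, not for real use) and SHA-1 for F; the function names are the example's own. nr_send is A's single pass; nr_receive is B's side, including the $b^{-1}$ exponent (the inverse of b modulo p−1, so b must be coprime to p−1) and the h check; interloper_rewrite reproduces the re-issue of {r, s} that the page describes, so the reader can confirm that B still recovers the same $K = \alpha^t$ but the check against $F(p_E, K)$ fails because E never learns K.

```python
import hashlib

# Toy parameters constructed for this example only (not for real use)
P = 2**61 - 1          # prime modulus p
Q = P - 1              # exponents are reduced modulo p-1
ALPHA = 3              # assumed generator of Z*_p


def F(x, y):
    """F(X, Y): SHA-1 of the concatenated values (separator avoids ambiguity)."""
    return hashlib.sha1(f"{x}|{y}".encode()).hexdigest()


def nr_send(a, x, t, p_B):
    """A's single pass of the modified Nyberg-Rueppel protocol:
    r = (p_B)^t alpha^x mod p, s = x - r a mod (p-1), K = alpha^t, h = F(p_A, K).
    Returns (r, s, h, p_A); p_A stands in for the certificate in text_A."""
    p_A = pow(ALPHA, a, P)
    r = (pow(p_B, t, P) * pow(ALPHA, x, P)) % P
    s = (x - r * a) % Q
    K = pow(ALPHA, t, P)
    return r, s, F(p_A, K), p_A


def nr_receive(b, r, s, h, p_sender):
    """B's side: recover alpha^x = alpha^s (p_sender)^r, then
    K = (r alpha^-x)^(b^-1) = alpha^t, and compare h with F(p_sender, K).
    pow(b, -1, Q) raises ValueError if b is not invertible modulo p-1."""
    alpha_x = (pow(ALPHA, s, P) * pow(p_sender, r, P)) % P
    b_inv = pow(b, -1, Q)
    K = pow((r * pow(alpha_x, -1, P)) % P, b_inv, P)
    return K, F(p_sender, K) == h


def interloper_rewrite(e, r, s, p_A, x_prime):
    """The page's interloper E: from {r, s, text_A} recover alpha^x and
    alpha^(bt), then re-issue r' = alpha^(bt) alpha^x', s' = x' - r' e mod (p-1)
    under her own certified key p_E = alpha^e. E never obtains K = alpha^t,
    which is why she cannot produce a matching h."""
    p_E = pow(ALPHA, e, P)
    alpha_x = (pow(ALPHA, s, P) * pow(p_A, r, P)) % P
    alpha_bt = (r * pow(alpha_x, -1, P)) % P
    r2 = (alpha_bt * pow(ALPHA, x_prime, P)) % P
    s2 = (x_prime - r2 * e) % Q
    return r2, s2, p_E


if __name__ == "__main__":
    a, b, x, t = 123457, 1000003, 4242, 9999
    p_A, p_B = pow(ALPHA, a, P), pow(ALPHA, b, P)
    r, s, h, _ = nr_send(a, x, t, p_B)
    K, ok = nr_receive(b, r, s, h, p_A)
    print("honest: K == alpha^t", K == pow(ALPHA, t, P), "h check", ok)
    r2, s2, p_E = interloper_rewrite(77, r, s, p_A, 555)
    K2, ok2 = nr_receive(b, r2, s2, h, p_E)
    print("interposed: same K", K2 == K, "h check", ok2)
```

Here the bound public information π is A's public key rather than an ephemeral exponential, so the check compares h against a value computed over whichever identity B actually accepted; with text_E substituted, B evaluates F(p_E, K) and the mismatch surfaces at B rather than at A, which is the reverse direction from the two-pass MTI modifications.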

All the protocols discussed above have been described in the setting of the multiplicative group $\mathbb{Z}_p^*$. However, they can all be easily modified to work in any finite group in which the discrete logarithm problem appears intractable. Suitable choices include the multiplicative group of a finite field (in particular the finite field $GF(2^n)$), subgroups of $\mathbb{Z}_p^*$ of order q, and the group of points on an elliptic curve defined over a finite field. In each case an appropriate generator α will be used to define the public keys.

The protocols discussed above can also be modified in a straightforward way to handle the situation when each user picks their own system parameters p and α (or analogous parameters if a group other than $\mathbb{Z}_p^*$ is used).

Claims

1. A method of authenticating a pair of correspondents A, B to permit exchange of information therebetween, each of said correspondents having a respective private key a, b and a public key $p_A$, $p_B$ derived from a generator α and respective ones of said private keys a, b, said method including the steps of

i) a first of said correspondents A selecting a first random integer x and exponentiating a function f(α) including said generator to a power g(x) to provide a first exponentiated function $f(\alpha)^{g(x)}$;

ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;

iii) said correspondent B selecting a second random integer y and exponentiating a function f'(α) including said generator to a power g(y) to provide a second exponentiated function $f'(\alpha)^{g(y)}$;

iv) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key K also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;

v) said second correspondent B generating a value h of a function F[π, K] where F[π, K] denotes a cryptographic function applied conjointly to π and K and where π is a subset of the public information provided by B, thereby to bind the values of π and K;

vi) said second of said correspondents B forwarding a message to said first correspondent A including said second exponential function $f'(\alpha)^{g(y)}$ and said value h of said cryptographic function F[π, K];

vii) said first correspondent receiving said message and computing a session key K' from information made public by said second correspondent B and private to said first correspondent A;

viii) said first correspondent A computing a value h' of a cryptographic function F[π, K]; and

ix) comparing said values obtained from said cryptographic functions F to confirm their correspondence.

2. A method of claim 1 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

3. A method according to claim 1 wherein said message forwarded by said second correspondent includes an identification of said second correspondent.

4. A method according to claim 3 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

5. A method according to claim 1 wherein said first function f(α) including said generator is said generator itself.

6. A method according to claim 1 wherein said second function f'(α) including said generator is said generator itself.

7. A method according to claim 6 wherein said first function f(α) including said generator is said generator itself.

8. A method according to claim 1 wherein said first function including said generator f(α) includes said public key $p_B$ of said second correspondent.

9. A method according to claim 1 wherein said second function including said generator f'(α) includes said public key $p_A$ of said first correspondent.

10. A method according to claim 1 wherein said cryptographic functions F are hashes of π and K.

11. A method of transporting a key between a pair of correspondents A, B to permit exchange of information therebetween, each of said correspondents having a respective private key a, b and a public key $p_A$, $p_B$ derived from a generator α and respective ones of said private keys a, b, said method including the steps of

i) a first of said correspondents A selecting a first random integer x and exponentiating a function f(α) including said generator to a power g(x) to provide a first exponentiated function $f(\alpha)^{g(x)}$;

ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;

iii) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key K also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;

iv) both of said first correspondent A and said second correspondent B computing a respective value h, h' of function F[π, K] where F[π, K] denotes a cryptographic function applied to π and K and where π is a subset of the public information provided by one of said correspondents;

v) at least one of said correspondents comparing said values h, h' obtained from said cryptographic function F to confirm their correspondence.

12. A method of claim 11 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

13. A method according to claim 11 wherein said message forwarded by said first correspondent includes said value obtained from said cryptographic function by said first correspondent.

14. A method according to claim 11 wherein said values obtained from said cryptographic functions are obtained from a hash of said public information and said session key K.

15. A method according to claim 11 wherein said first correspondent selects a pair of random integers x and t and generates a session key K as $f(\alpha)^{g(t)}$ and generates a value r from said first exponentiated function $f(\alpha)^{g(x)}$ which includes a factor exponentiating said public key $p_B$ of said second correspondent B with said random integer t to be of the form

16. A method according to claim 15 wherein said first correspondent A generates a value s from a combination of said random integer x and said private key a and forwards said value of r and said value of s to said second correspondent B to permit said second correspondent B to recover said session key K using the private key b of said second correspondent B.

17. A method according to claim 16 wherein said random integer x and said private key a are combined to produce s such that $s = x - ra \bmod (p-1)$.

18. A method according to claim 17 wherein said cryptographic function F is a hash of said public information π and said session key K.

19. A method according to claim 18 wherein said public information π is the public key $p_A$ of said first correspondent A.